Information systems risk assessment

The integrity of information systems you use to support your business affects the accuracy and completeness of your reporting and lodgement activities.

We use an information systems risk assessment (ISRA) to gain a high-level overview of your information systems. Using a standardised questionnaire, we can develop a risk rating for key elements of your business operations. We usually undertake an ISRA as part of a larger review or audit. It contributes to our compliance activities by giving us confidence about the integrity of your business systems, processes and controls by measuring their accuracy and completeness.

We have developed a process that provides a structured approach for assessing your information systems risks. It is based on the guidelines and assurance frameworks set out by the Information Systems Control Association and the IT Governance Institute.

Benefits of an ISRA

Using an ISRA in audits and other compliance activities can help you by:

providing an efficient way to help you understand your business, its systems and processes

highlighting any compliance risks and providing recommendations to mitigate them.

When we do an ISRA

When we consider whether to use an ISRA, we generally start by talking with you and gaining an understanding of your business activities. We look at whether your business:

has experienced mergers and acquisitions

has had rapid growth

has disparate, multiple systems that are loosely integrated

has had a high turnover of IT staff or relies heavily on temporary IT contractors for systems development and support

uses outdated or unsupported software

uses in-house developed systems

has a history of IT project overruns and other difficulties

has a history of BAS amendments due to systems issues

has a history of voluntary disclosures caused by systems issues.

What you need to do

Preparing for your ISRA

We start with an interview, conducted by a compliance officer and systems specialist from our office.

Make sure the right staff are available to answer questions about your business systems – these may include system accountants, tax managers, system architects and support staff, external IT service providers or IT project managers.

We will be asking questions that focus on the history of your business, including planning, support, change management and other systems management functions.

Before the interview, we will:

establish with you who will be involved in the interview

negotiate an interview date that suits all participants

negotiate with you to obtain systems architecture diagrams and other supporting documents – ideally you will provide this information well ahead of the interview.

ISRA questionnaire

An ISRA questionnaire is a standardised questionnaire focused on those aspects of your information technology (IT) systems that relate to tax and regulatory compliance. The questionnaire has five auditable units, each with a series of questions weighted according to a predetermined risk rating:

systems inventory to assess the size and complexity of your IT environment

interface inventory to understand the extent of data manipulation and the complexity of data mapping

customisation inventory to assess the level of customisation across all systems to determine the risk level

IT projects and methodologies to assess the maturity level of your IT systems and the business processes they support

IT governance to gauge the adequacy of your internal policies, procedures and methodologies for effective and productive management of the IT function within your business.

ISRA interview

In the interview, we will identify and record responses for each question. By discussing these questions and your business systems and processes, we can understand your business systems, processes and controls.

We record your ISRA responses in the taxpayer version of the questionnaire and seek your agreement that the responses are correct. When the questionnaire is complete, we use the questionnaire responses to generate a risk rating profile with low, medium or high risk ratings. These ratings will be included in the report.

ISRA report

We prepare a final report that:

incorporates your feedback

details our findings including recommendations to address the issues we identified that may impact on the accuracy and completeness of your reporting.

Final interview

We have a final meeting with you to discuss the final report, where you will have the opportunity to work through the findings and offer any comment.
